Revolut

Security checks across malware telemetry and agentic risk

Overview

This Revolut skill appears purpose-built rather than malicious, but it handles banking login material and reusable session data in a way users should review carefully.

Install only in a private, trusted workspace. Avoid putting the Revolut PIN in config.json unless you accept the risk, keep the revolut workspace directory out of sync/backup/source control, run logout after use, and treat all generated JSON/debug output as sensitive financial records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 90%
Finding:
The skill performs sensitive actions involving banking data, browser session persistence, file I/O, environment access, and network communication, but does not declare corresponding permissions. This undermines least-privilege review and can cause users or orchestrators to authorize a skill without understanding that it can access and persist sensitive financial/session data.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 94%
Finding:
The documented purpose says the skill handles login/logout, account listing, and transactions, but the behavior expands into investment portfolio access, investment transaction history, synthetic account generation, and endpoint enumeration. In a banking context, undocumented capability expansion is risky because it broadens access to additional sensitive assets and data beyond what a user may have intended to authorize.

Description-Behavior Mismatch

High
Confidence: 95%
Finding:
The code implements Revolut Invest portfolio and trading-history access that is not disclosed in the skill metadata or top-level description. This expands the privilege and data-access scope from ordinary banking automation into brokerage holdings and securities transactions, which can expose additional sensitive financial data and violate user expectations or approval boundaries.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding:
The CLI exposes undocumented portfolio-discovery and endpoint-scanning commands beyond the stated skill purpose. Hidden or undocumented capabilities are dangerous because they prevent informed consent, complicate review, and may enable broader authenticated data collection than users or operators expect.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding:
The invest-scan command performs authenticated endpoint reconnaissance by observing and listing internal /api/retail URLs after login. In a financial automation context, this behavior is not necessary for routine user tasks and could be abused to map private APIs and support further unauthorized data extraction.

Intent-Code Divergence

Medium
Confidence: 89%
Finding:
The module docstring advertises only login/logout, accounts, and transactions, while the actual CLI also supports portfolio access, investment transactions, and endpoint scanning. This mismatch reduces transparency and can conceal materially broader functionality from reviewers and users in a high-sensitivity banking context.

Missing User Warnings

Medium
Confidence: 94%
Finding:
The setup documentation explicitly recommends storing a Revolut app PIN in plaintext inside a local JSON configuration file. Even if intended for convenience, this creates a recoverable secret at rest that may be exposed through workspace access, backups, logs, screenshots, or source control, and the credential is directly tied to financial account access workflows.

Missing User Warnings

Medium
Confidence: 88%
Finding:
The skill processes highly sensitive banking information and stores per-user browser session state locally, yet the description lacks an explicit warning about privacy, retention, and local storage risks. In this context, users may unknowingly leave reusable authenticated sessions or exported financial records on disk, increasing exposure to local compromise or accidental leakage.

Missing User Warnings

Medium
Confidence: 87%
Finding:
The skill persists authenticated session state and a browser profile to disk for reuse, but does not provide explicit disclosure or protection expectations around these sensitive artifacts. If other local users, processes, or tools can read those files, they may gain access to the user's Revolut session without reauthentication.

Missing User Warnings

Medium
Confidence: 90%
Finding:
The code reads a PIN from local configuration and automates its entry into the login flow without prominent disclosure. In a financial-login context, silently consuming a stored PIN increases credential-handling risk and may normalize insecure storage of highly sensitive authentication factors.

VirusTotal

66/66 vendors flagged this skill as clean.
